Last line of defense

Discussion in 'other firewalls' started by SourMilk, May 23, 2007.

Thread Status:
Not open for further replies.
  1. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Hi all. I've been playing with some backdoors, spyware and trojans that are encrypted by packers and and undetected by most antiviruses. With all the firewall leaktesting, would you consider the firewall as the last line of defense? Or, maybe HIPS with a firewall background like DSA would be last in line because some malware piggybacks on trusted applications to find their way to the internet. Of all the products discussed in these forums, which one(s) would you consider the last line of defense?

    For me, it would be a good HIPS.
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,186
    No, excluding a router, a firewall is a first line of defense.
    Then come HIPS and virtualization software.
    An AV is maybe not even needed, but it is the last "line" of defense along with resident antispyware programs that I don't run.
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    If the malware is already on the computer, then software firewalls would be the last line of defense.

    And btw, I would consider HIPS as one of the first lines of defense, not last.
     
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi SourMilk :)

    Firewalls are irrelevant for that kind of threat. A firewall is a packet filter.

    From the internal point of view, an HIPS is the first line; from an external point of view, the firewall (and/or the router) is the 1st one... No discussion about that.

    I agree with you for the importance of an HIPS to deal with the malware you're talking about. A protection layer behind the firewall is a must.

    I'm presently using the free version of System Safety Monitor. The module for registry protection is not bad... By default the main registry keys are protected against modifications and it's possible to add some other keys.

    Maybe a good starting point here is to take the startup keys found by Sysinternals Autoruns and add these keys to the registry module of SSM...

    Some other rules may be added in the programs, library and driver modules to increase the protection against some malware using the same procedure as the one used by the various firewall leak tests.

    Here are the links for the software and sites I'm talking about:

    SSM : http://www.syssafety.com/

    Autoruns: http://www.microsoft.com/technet/sysinternals/Security/Autoruns.mspx

    Firewall Leak Tests: http://www.firewallleaktester.com/


    :)
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A traditional firewall can be described in this way, but most Windows personal firewalls go far beyond simple packet filtering and provide a good degree of process monitoring also. As such, a firewall that provides good leaktest performance should have a good chance of catching malware trying to send data out, making it a last line of defence.
    Currently this does apply with most firewalls - however an increasing number are adding "HIPS-like" features (Self Defence, etc) so in the near future, it is likely that these areas will be combined into hybrid "Security Suites" (there are a couple available now).
    While the full version of SSM provides such protection, the free one does not - it only polls keys and if one changes it will try to change it back. This means that sophisticated malware can just keep redoing the change in order to "bypass" SSM, though it should be very obvious from the repeated alerts what is happening (Ghost Security's RegTest simulates this). Aside from that though, SSM can be an excellent security tool for those prepared to take the time to learn how it (and their system) functions.
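    The poll-and-revert behaviour described above (a monitor that periodically reads protected keys, restores any that changed, and raises an alert each time) is easy to reason about with a small simulation. The block below is an added example, not code from the thread, from SSM or from Ghost Security; it stands in for the registry with a plain dictionary, uses constructed autorun paths and values, and adds a repeat counter so that the "keep redoing the change" pattern surfaces as an escalated alert rather than an endless stream of identical ones. The key names, the `escalate_after` threshold and the `PollingGuard` class are all assumptions made for the example.

```python
"""Poll-and-restore guard for protected autorun keys (constructed simulation).

Mimics the behaviour attributed to the free SSM registry module in the thread:
read each protected key, compare with a baseline, revert on drift, alert.
Adds a per-key repeat counter so repeated re-application is flagged as such.
"""
from dataclasses import dataclass

# Constructed stand-in for the registry: "key\\valuename" -> data.
# The key paths are the usual Run locations Autoruns lists; the data is made up.
BASELINE = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Program Files\Updater\upd.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync":
        r"C:\Users\me\AppData\Local\Sync\sync.exe",
}


@dataclass
class Alert:
    key: str            # which protected value drifted
    observed: str       # what the poll found there
    restored_to: str    # the baseline value written back
    repeat_count: int   # how many polls in a row have had to revert this key
    escalated: bool     # True once repeat_count reaches the threshold


class PollingGuard:
    """Polls a registry-like mapping and reverts protected values to a baseline."""

    def __init__(self, baseline, escalate_after=3):
        self.baseline = dict(baseline)
        self.escalate_after = escalate_after          # assumption: 3 repeats = suspicious
        self.repeat_counts = {k: 0 for k in baseline}
        self.alerts = []

    def poll(self, registry):
        """One polling cycle. Returns the alerts raised in this cycle."""
        raised = []
        for key, expected in self.baseline.items():
            current = registry.get(key)
            if current == expected:
                self.repeat_counts[key] = 0           # drift stopped; reset the streak
                continue
            self.repeat_counts[key] += 1
            registry[key] = expected                  # revert, as a poll-and-restore tool does
            escalated = self.repeat_counts[key] >= self.escalate_after
            raised.append(Alert(key, current, expected,
                                self.repeat_counts[key], escalated))
        self.alerts.extend(raised)
        return raised


def simulate_repeated_tamper(cycles=5, escalate_after=3):
    """Replay the failure mode from the post: a process that re-applies its change
    after every revert. Returns (guard, final registry state)."""
    registry = dict(BASELINE)
    guard = PollingGuard(BASELINE, escalate_after=escalate_after)
    target = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    tampered = r"C:\Users\me\AppData\Local\Temp\unknown.exe"   # constructed value
    for _ in range(cycles):
        registry[target] = tampered     # change lands between two polls
        guard.poll(registry)            # poll notices it, reverts it, alerts
    return guard, registry


def simulate_single_tamper():
    """A one-off change: reverted once, streak resets on the following poll."""
    registry = dict(BASELINE)
    guard = PollingGuard(BASELINE)
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync"
    registry[key] = r"C:\Temp\other.exe"                        # constructed value
    first = guard.poll(registry)
    second = guard.poll(registry)
    return first, second, guard.repeat_counts[key]


if __name__ == "__main__":
    guard, _ = simulate_repeated_tamper()
    for a in guard.alerts:
        flag = "ESCALATED" if a.escalated else "reverted"
        print(f"{flag}: {a.key} -> {a.observed!r} (repeat {a.repeat_count})")
```

Two properties of the design are worth noting. The value written by the tampering process is live for the whole interval between two polls, which is the window a polling monitor cannot close; only an interception (hook or filter) approach avoids it. And because the monitor only compares against a baseline, the baseline itself must be trustworthy, which is why building it from a clean Autoruns listing, as suggested earlier in the thread, matters.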
     
  6. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Thanks for all the replies. I guess you could say that firewalls are the first and last line of defense. Keeping hackers away and keeping private info on your disk. Either way you look at it, having a good firewall is essential. Thanks again for your astute views.

    SourMilk out
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: OT of course, but I am compelled to report this to the forum. Each time I click SourMilk's post, my download manager will pick up a d/l command to d/l this: sourmilk.tif, size 1.10kb. Is this normal, or does some configuration of the download manager need to be adjusted?
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: It's gone now. Strange indeed. Now I can see his image (sour milk) in front of his user name.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You are seeing a stored image (attempted download) from the Wilders server; some filters/download managers see this and alert.

    Capture31-08-2006-11.44.1824-05-2007-23.39.53.jpg

    If your alert does not show something similar to the file shown above, please advise.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Some type of reboot-to-restore program.

    It seems to me more useful to begin with a security strategy which identifies known points of entry of malware, such as:

    1) through a port (135, 139, 445, etc - worms, trojans)

    2) remote code execution via a web browser exploit (embedded code, .ani, .wmf exploits, etc)

    3) email attachment ("please click on me for a FREE laptop!")

    4) infected file which you trustingly installed

    Each entry point can be a "first line," so to speak, so that description is not useful in distinguishing between those categories.

    If you choose solutions based on analysis of how each of the above types of exploits work, then you can be confident that you have those attack points secured, and, you are Safe.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: May 24, 2007